Time
1 hour 21 minutes
Difficulty
Intermediate
CEU/CPE
2

Video Transcription

00:00
Hello, My name's David. Welcome to analyzing attacks.
00:05
A couple of quick reminders as we get started in lab one. Oftentimes this is overlooked.
00:11
So, as we're saying,
00:12
memory analysis reveals a ton of details that you may not get from other kinds,
00:18
other analyses. So
00:22
I highly recommend that you incorporate memory analysis into your incident handling protocols, processes, procedures. Now we talked about different tools
00:37
as well when it comes to memory analysis. Do you know what some of those were?
00:42
Yes, *** imager or captured
00:47
right? Like we're good
00:50
Volatility. Those are just some of the big ones that we discussed in some of our prior sessions together. Now,
00:57
for the purpose of this lab, I want us to look at Redline as a memory capturing and analysis tool, because Mandiant has Redline available to you for free online. You can download it and install it on your system for both analysis and also capturing memory.
01:15
In the more hands-on portion
01:18
of these episodes, together
01:21
we will actually take a look at some of those as well. However, before we get to that point, we do need to cover the scenario and a couple of other tidbits of information. So your scenario: an end user called the help desk and reported that she thinks she clicked on a link
01:38
in an email that was fishy.
01:42
So the help desk, being the help desk, said, Mmm,
01:47
regime
01:49
malicious link.
01:51
Let's contact the Incident Response Team or the Cyber Security Team, or whatever name they have there that you're more used to. So they forwarded the ticket over to you and say, you're a member of the incident response team, you know, you get it.
02:07
So you run some anti-malware scans on it, and it just isn't able to turn up anything suspicious.
02:13
What would your next steps be?
02:16
And of course, for the purposes of this lab, we're moving directly into memory examination.
02:22
There are a ton of different ways you can approach this. Uh, you could do a log review if you're utilizing a SIEM, um,
02:30
you could do registry forensics, possibly. You could do an entire forensic capture of the system and do a forensic examination. Now, a couple of words of caution there: log analysis may not show everything that you need.
02:46
It could be infected but not communicating. Ah, a lot of malware is set to beacon. If you're not familiar with that term, attackers know what us good people are doing. So they craft their malware to beacon
03:04
instead of continuously trying to communicate, because the more noisy and loud a
03:09
piece of malware is,
03:13
the easier it is to figure out that it's there. So you could do a log review, not seeing any suspicious activity.
03:22
So you may write it off, whereas the system is infected and the malware is designed not to actually communicate for a while.
03:31
You could miss it. Um, you could, if you have the ability, download the same email with the link and research that link, and then possibly get the malicious link to yourself and download whatever it was there that was to be downloaded.
03:50
That's pretty fantastic, and you could do that as well, because then you get
03:53
the suspicious file that you could do an examination with, and
04:00
you could do malware reverse engineering on it. You could, uh, do what we're gonna do. You could actually take that
04:08
malicious file that we think is malicious at this point, put it in a virtual machine, do a memory capture, and also do other forms of forensic examination on the virtual machine that you've infected.
04:23
Pretty good standard. Now these vary widely across industry sectors and depend on the team and your incident response process. So it's kind of hard in a lab like this to actually deal with all those; be aware of that. For this lab, we want to use Mandiant's Redline. You can find it at the link
04:43
located there and also in the lab document that is available for you in the course along with here.
04:47
Uh, please download the file and ensure that you have it installed on your system and that it is operating. And here is a screen capture to show you what Redline looks like when you first start it up. We'll take a closer look at this as we proceed
05:06
further into the labs. And don't panic at this point.
05:10
Um, when you're getting it installed, we'll take care of that when we get to it. Now,
05:15
to get a good malware sample, there are a lot of different places online that you can go to. For the purpose of this lab, I went to malware-traffic-analysis.net and downloaded one of the newest ones that they have there. The links are for you there on the screen as well, and also in
05:32
the lab document that you can actually go out and refer to as well.
05:38
Now, a word of caution here. This is
05:42
live malware.
05:45
Treat it as such. If you do do this lab and follow through with that, ensure you're properly protected and take precautions to not infect your own machine.
05:58
I slowed down to say that because you have to be careful here. Danger, danger, danger.
06:06
Use the Windows VM to do your analysis. Don't fire this piece of malware off on your home system or inside the network or anything like that, because it's real malware. I know you're probably sitting there rolling your eyes,
06:24
drumming your fingers on the desk. Why's he continuing to repeat this? Well, I have to because
06:31
we're human and we make mistakes. I make mistakes, you make mistakes. It's a good sign if you admit that you make mistakes. Because we are dealing with actual, really true malicious files, I feel the need to stress to you that you don't want to infect your system. Now, why is that? Ah,
06:51
because when I downloaded this on my
06:55
system,
06:56
my Windows Defender instantaneously fired off an alert and said, Hey,
07:03
threat found, threat found. Warning, warning, warning. Remember the little robot back there?
07:10
Here it is. Now, depending upon what kind of anti-virus or anti-malware that you're running on your system, you can either shut it off, get it downloaded and transferred over to your VM, or you can allow it to be present on your system. Whatever you do, though,
07:30
don't double-click this on your home system or in your environment, whether corporate or home, because
07:36
it's real. So please, please be careful with this stuff. Again, a few more words of caution before we dig in. Always remember the malware is dangerous. It's like a box of dynamite.
07:50
It could go off, and if it goes off, you could infect your system, resulting in you having to reinstall your operating system, do a cleanse and all that. Now, you want to use a VM to experiment and utilize tools, and in a lot of our courses here on Cybrary, there are
08:07
references to virtual machines. For the purpose of this lab, we're not going to delve too deep into it, but you do need to ensure the VM is properly set up and not able to communicate with your normal corporate network. It's kind of a standard step, but I need to remind you of it.
08:24
As you go past this course, experiment with other pieces of malware, different tools, Volatility, FTK Imager, to enhance your ability to conduct memory analysis.
08:35
This lab is not the end-all, be-all of memory analysis. I just want you to know that up front: it's one tool and one piece of malware. So you're going to learn more as you experiment with different pieces of malware.
08:50
Most of your online repositories will use the password of "infected", as you can see there on the screen. So put that in your memory hole somewhere so that you don't forget it. If you attended other courses where they use other passwords,
09:09
keep that in mind also, but on the site that we are going to get this particular piece of malware from, the password is "infected". You do need to know that and remember it, because to unzip the file and extract the malware from it, you need to know what the password is, or
09:28
you'll quickly get frustrated
09:30
and not be able to follow along. If you have any questions as we get prepped here to jump into this lab, reach out to me, David's 135, on Cybrary. Happy to talk to you. Let's keep going.

Analyzing Attacks for Incident Handlers

In Analyzing Attacks for Incident Handlers, David Biser explains memory analysis and how to use it to uncover information about a computer. He demonstrates this process of analyzing an attack using labs such as a Redline lab and a VM and Malware lab to conduct an analysis on a computer.

Instructed By

David Biser
Incident Response Engineer at Iron Mountain
Instructor